2017-09-01 04:40:03 |
Felipe Monteiro |
description |
Currently, Patrole switches the role for the primary Tempest creds
in order to do RBAC testing validation. This is a harmless act
when using dynamic credentials, as they are deleted after test
execution anyway.
However, when using pre-provisioned credentials, this means that the
roles for the set of credentials included in the accounts.yaml file
is permanently changed -- even after test execution. The credentials
in the accounts.yaml acquire the test role defined by `[patrole]
rbac_test_role` but lose the original roles before running any
Patrole tests. This means that it is entirely possible that the
roles enumerated in the accounts.yaml may be wrong after test
execution. Thus, Patrole testing can cause the pre-provisioned
credentials to behave unexpectedly when running, for example,
regular Tempest tests using the same credentials.
Because this behavior is undesirable, Patrole should restore any
credentials changed during test execution after test execution
using the `atexit` module which calls the `_restore_credentials`
callback on interpreter termination.
Note that this is not a bulletproof solution because, as the `atexit`
docs mention [0]:
The functions registered via this module are not called when the
program is killed by a signal not handled by Python, when a Python
fatal internal error is detected, or when os._exit() is called.
Under normal circumstances, however, this commit ensures that the
credentials that are modified during test execution are restored
to their original values if pre-provisioned credentials are set up
in tempest.conf.
Note that this behavior can best be confirmed when using one set
of primary/admin creds in the accounts.yaml file and running the
tests serially so that the creds that are modified belong to the
only Member-role creds defined in the accounts.yaml file.
[0] https://docs.python.org/2/library/atexit.html |
Currently, Patrole switches the role for the primary Tempest creds
in order to do RBAC testing validation. This is a harmless act
when using dynamic credentials, as they are deleted after test
execution anyway.
However, when using pre-provisioned credentials, this means that the
roles for the set of credentials included in the accounts.yaml file
is permanently changed -- even after test execution. The credentials
in the accounts.yaml acquire the test role defined by `[patrole]
rbac_test_role` but lose their original roles after running any
Patrole tests. This means that it is entirely possible that the
roles enumerated in the accounts.yaml may be wrong after test
execution. Thus, Patrole testing can cause the pre-provisioned
credentials to behave unexpectedly when running, for example,
regular Tempest tests using the same credentials.
Because this behavior is undesirable, Patrole should restore any
credentials changed during test execution after test execution
using the `atexit` module which calls the `_restore_credentials`
callback on interpreter termination.
Note that this is not a bulletproof solution because, as the `atexit`
docs mention [0]:
The functions registered via this module are not called when the
program is killed by a signal not handled by Python, when a Python
fatal internal error is detected, or when os._exit() is called.
Under normal circumstances, however, this commit ensures that the
credentials that are modified during test execution are restored
to their original values if pre-provisioned credentials are set up
in tempest.conf.
Note that this behavior can best be confirmed when using one set
of primary/admin creds in the accounts.yaml file and running the
tests serially so that the creds that are modified belong to the
only Member-role creds defined in the accounts.yaml file.
[0] https://docs.python.org/2/library/atexit.html |
|